Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 138545

Summary: app-office/openoffice <2.0.3 - multiple vulnerabilities (CVE-2006-2199, CVE-2006-2198, CVE-2006-3117)
Product: Gentoo Security Reporter: ChazeFroy <chazefroy>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: bugs, eselect, jakuhrlinux, jesus.de.santos, jon, maekke, office, rockoo, sgtphou, siryes
Priority: High    
Version: unspecified   
Hardware: All   
OS: Other   
URL: http://www.openoffice.org/security/bulletin-20060629.html
Whiteboard: A2 [glsa] jaervosz
Package list:
Runtime testing required: ---

Description ChazeFroy 2006-06-29 21:34:39 UTC
*  performance improvements: for example, a 23 percent improvement in certain Calc benchmarks
* further improvements to file format compatibility with Microsoft Office files
* new email integration features for users wanting to send emails in Microsoft file formats
* more control over how exported PDF documents will display when opened in a PDF reader
* support for more languages and improvements in hyphenation and thesaurus
* support for Intel architecture for Mac OS X plus improved Mac OS X System integration
* built-in check for updated versions
Comment 1 solar (RETIRED) gentoo-dev 2006-06-29 23:09:37 UTC
Youi left out the most important part from the release notes..

We also recommend OpenOffice.org 2.0.3 because it includes important security fixes. These have not been exploited but all users of any prior version of OpenOffice.org are urged to download 2.0.3. A standalone patch will be available soon. 
Comment 2 Andres Pereira (RETIRED) gentoo-dev 2006-06-29 23:15:42 UTC
http://www.openoffice.org/security/bulletin-20060629.html

Security Bulletin 2006-06-29

OpenOffice.org 2.0.3 fixes three security vulnerabilites that have been found through internal security audits. Although there are currently no known exploits, we urge all users of 2.0.x prior to 2.0.2 to upgrade to the new version or install their vendor's patches accordingly. Patches for users of OpenOffice.org 1.1.5 will be available shortly.

The three vulnerabilities involve:

    * Java Applets, CVE-2006-2199
    * Macro, CVE-2006-2198; and
    * File Format, CVE-2006-3117
Comment 3 Andres Pereira (RETIRED) gentoo-dev 2006-06-29 23:20:31 UTC
*** Bug 138546 has been marked as a duplicate of this bug. ***
Comment 4 Andres Pereira (RETIRED) gentoo-dev 2006-06-29 23:21:25 UTC
*** Bug 138547 has been marked as a duplicate of this bug. ***
Comment 5 Jakub Moc (RETIRED) gentoo-dev 2006-06-30 03:39:53 UTC
*** Bug 138567 has been marked as a duplicate of this bug. ***
Comment 6 Carsten Lohrke (RETIRED) gentoo-dev 2006-06-30 04:35:29 UTC
cc maintainers
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-30 08:07:17 UTC
openoffice please provide updated ebuilds.
Comment 8 Jon Severinsson 2006-06-30 13:35:06 UTC
And 2.0.3 is supposed to work out-of-the box as native amd64!
I want ;)
Comment 9 Andreas Proschofsky (RETIRED) gentoo-dev 2006-07-01 00:11:01 UTC
Just got back from GUADEC, so give me some time to get back on speed. Anyway, openoffice-bin should be done soon, source-built version could take a little longer, as ooo-build didn't provide a release until now (though there is one for RC7 which I could maybe use, didn't check until now).
Comment 10 Andreas Proschofsky (RETIRED) gentoo-dev 2006-07-02 22:57:37 UTC
New version of openoffice-bin and openoffice are in now, please test accordingly
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-07-03 00:46:06 UTC
Thx Andreas.

Arches please test and mark stable.
Comment 12 Jason Wever (RETIRED) gentoo-dev 2006-07-04 17:42:36 UTC
This will also cause eselect-1.0.2 to go stable.  Might want to verify with those folks that they are ready for it.
Comment 13 Lars Weiler (RETIRED) gentoo-dev 2006-07-05 00:49:09 UTC
Stable on ppc.
Comment 14 Andreas Proschofsky (RETIRED) gentoo-dev 2006-07-05 01:01:09 UTC
(In reply to comment #12)
> This will also cause eselect-1.0.2 to go stable.  Might want to verify with
> those folks that they are ready for it.
> 

And also: eselect-oodict and all the myspell dictionaries, otherwise the users won't have the possibility to spell check anymore. Both should be straightforward though.
Comment 15 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-07-05 02:36:37 UTC
CC'ing eselect.
Comment 16 Jason Wever (RETIRED) gentoo-dev 2006-07-06 08:45:31 UTC
SPARC is ready to go stable once we hear from the eselect folks.
Comment 17 Brian Beardall 2006-07-08 23:16:30 UTC
eselect and oodict don't work on AMD64, so openoffice-bin and a multilib install on AMD64 don't have spellcheck, and this prevents me from using openoffice-bin 2.0.3
Comment 18 Andreas Proschofsky (RETIRED) gentoo-dev 2006-07-08 23:41:14 UTC
(In reply to comment #17)
> eselect and oodict don't work on AMD64, so openoffice-bin and a multilib
> install on AMD64 don't have spellcheck, and this prevents me from using
> openoffice-bin 2.0.3
> 

That has already been fixed yesterday, do an emerge sync and try again
Comment 19 Danny van Dyk (RETIRED) gentoo-dev 2006-07-11 01:53:46 UTC
Eselect team is fine with stabling 1.0.2. 1.0.3 is no option as it's still in
p.mask due to one unported module.
Comment 20 Gustavo Zacarias (RETIRED) gentoo-dev 2006-07-12 06:13:24 UTC
sparc stable.
Comment 21 Andreas Proschofsky (RETIRED) gentoo-dev 2006-07-14 04:52:05 UTC
@x86, AMD-64-herd: At least openoffice-bin should be trivial to mark stable, so any hope in getting this done soonish? 
Comment 22 Andreas Proschofsky (RETIRED) gentoo-dev 2006-07-14 04:54:42 UTC
Hmm, obviously both amd64 and x86-herds were never added, done this now. btw, as the title does not point this out: This security issues affects both openoffice and openoffice-bin
Comment 23 Christian Faulhammer (RETIRED) gentoo-dev 2006-07-14 05:55:25 UTC
1) -bin emerges fine

2) QA: there are a lot of textrels...should I post the log?

3) tested some functions in writer, impress and calc (import of MS documents e.g.) -> works

Sorry no time to test the normal build...am leaving for the weekend soon.
Comment 24 Andreas Proschofsky (RETIRED) gentoo-dev 2006-07-14 10:22:02 UTC
(In reply to comment #23)
> 2) QA: there are a lot of textrels...should I post the log?

No, those are known. But as we use the upstream binary, there is nothing we can do about it anyway
Comment 25 Luis Medinas (RETIRED) gentoo-dev 2006-07-14 19:02:31 UTC
amd64 stable
Comment 26 Luis Medinas (RETIRED) gentoo-dev 2006-07-14 19:04:09 UTC
(In reply to comment #8)
> And 2.0.3 is supposed to work out-of-the box as native amd64!
> I want ;)
> 

regarding to this comment i didn't tried to build from source afaik it doesn't work. But for somehow it works please cc amd64 team or me so we can start testing it and keyword.

Thanks
Comment 27 Markus Meier gentoo-dev 2006-07-15 07:10:21 UTC
I tried building it on x86 (with USE="firefox"), but it failed because dev-libs/nspr-4.6.2 is needed (stable version is 4.6.1-r2). See bug #139453. 
Comment 28 Jesus de Santos Garcia 2006-07-15 09:32:00 UTC
x86 here. After several hours compiling it works fine with this options:

[ebuild   R   ] app-office/openoffice-2.0.3  USE="eds gnome gtk pam xml -binfilter -cairo -debug -firefox -java -kde -ldap -mono -odk" LINGUAS="-af -ar -be_BY -bg -bn -bs -ca -cs -cy -da -de -el -en -en_GB -en_US -en_ZA -es -et -fa -fi -fr -gu_IN -he -hi_IN -hr -hu -it -ja -km -ko -lt -mk -nb -nl -nn -nr -ns -pa_IN -pl -pt -pt_BR -ru -rw -sh_YU -sk -sl -sr_CS -st -sv -sw_TZ -th -tn -tr -ts -vi -xh -zh_CN -zh_TW -zu" 0 kB

I have tested each module (write, presentation...)
Comment 29 Joshua Jackson (RETIRED) gentoo-dev 2006-07-15 15:58:13 UTC
x86 is done after many hours of compiling :(

>^.^<
Comment 30 Andreas Proschofsky (RETIRED) gentoo-dev 2006-07-15 23:35:59 UTC
I've removed the vulnerable versions now from the tree, so I think we should be fine for the GLSA

Reopening as this is really not fixed until this is issued
Comment 31 Chris Gianelloni (RETIRED) gentoo-dev 2006-07-16 08:31:10 UTC
Updated in the 2006.1 snapshot, so I'm removing release@gentoo.org
Comment 32 Andreas Proschofsky (RETIRED) gentoo-dev 2006-07-18 10:39:48 UTC
So what is keeping the GLSA from being issued?
Comment 33 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-07-22 13:16:55 UTC
Just returning from vacation, I'll look into it tomorrow.
Comment 34 Stefan Cornelius (RETIRED) gentoo-dev 2006-07-28 13:51:21 UTC
GLSA 200607-12

Finally. Thanks everybody!